Weekly WordPress Vulnerability Report: June 1–7, 2026

74 new WordPress vulnerabilities were disclosed this week. Kirki hits 500,000 sites. Volume dropped 73% from last week’s 277. Here is every plugin and theme your team needs to check right now.

Page contents: Quick Numbers · Critical Vulnerabilities · Full Disclosure Table · Threat Trends · Defensive Checklist · FAQ

Quick Numbers

The volume drop from last week is real. Researchers and vendors cleared a massive backlog in late May, which front-loaded those numbers. However, the 74 disclosures this week still represent a full threat cycle's worth of new attack surface.

| Metric | This Week (Jun 1–7) | Last Week | Change |
|---|---|---|---|
| Total WP Vulnerabilities Disclosed | 74 | 277 | 203 |
| Vulnerable WordPress Plugins | 72 | 184 | 110 |
| Vulnerable WordPress Themes | 2 | 70 | 68 |
| Critical Severity (CVSS 9.0–10.0) | 3 | 10 | 7 |
| High Severity (CVSS 7.0–8.9) | 11 | 106 | 11 |
| Unpatched / Zero-Day | 4 | 146 | 142 |

Top Vulnerability Classes This Week

Three weakness types dominated the June 1–7 batch, covering 78% of everything disclosed this week:

  • Cross-Site Scripting (CWE-79): Present in 31 plugins and themes (both stored and reflected variants).
  • Missing Authorization (CWE-862): Found in 18 components, allowing attackers to bypass login entirely and call privileged functions directly.
  • SQL Injection (CWE-89): Confirmed in 9 plugins, 6 of which allow completely unauthenticated exploitation.

Critical WordPress Vulnerabilities (Action Required)

1. Kirki Freeform Page Builder <= 6.0.6 – Unauthenticated Privilege Escalation

  • Plugin Slug: kirki
  • Active Installations: 500,000+
  • Affected Versions: 6.0.0 through 6.0.6
  • CVE ID: CVE-2026-8206 | CVSS Score: 9.8 (Critical)
  • Patch Status: Patched in version 6.0.7

What this vulnerability does:

The handle_forgot_password() function inside Kirki’s CompLibFormHandler class backs a custom REST API endpoint for password resets. It accepts both a username and an email address directly from the HTTP request body.

The function fetches the account and generates a valid WordPress reset key, but then delivers the reset link to the attacker’s email address instead of the account owner’s address. An unauthenticated attacker can submit a high-privilege username, provide their own email, receive a valid password reset link, and log in as that administrator.

Threat Intel: Wordfence blocked 222 exploit attempts within 24 hours of public disclosure on June 2, 2026. Roughly 150,000 sites run the vulnerable 6.0.x branch.

Remediation:

Update to Kirki 6.0.7 immediately. After updating, audit your administrator accounts for any unfamiliar entries and review your site logs for REST API password reset requests containing suspicious email addresses.

2. Hippoo Mobile App for WooCommerce <= 1.9.4 – Unauthenticated Authentication Bypass

  • Plugin Slug: hippoo-mobile-app-for-woocommerce
  • CVE ID: CVE-2026-10580 | CVSS Score: 9.8 (Critical)
  • Researcher: Mitchell
  • Patch Status: No Fix Available (Check vendor for updated version)

What this vulnerability does:

The flaw lives inside HippooPermissions::get_user_permissions(), which returns the same null value for both administrators and unauthenticated visitors. HippooPermissions::has_role_access() reads that null and unconditionally treats it as full administrator access.

Because of this, every WordPress and WooCommerce REST route the plugin clones under /wc-hippoo/v1/ext/ gets __return_true assigned as its permission callback. An attacker who sends a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a new password in the body can reset the password of any user, including the site administrator, with no credentials at all.

Remediation:

Until a patch is available, deactivate and remove the plugin immediately. Review your site’s administrator accounts and REST API logs for suspicious password change requests targeting the /wc-hippoo/v1/ext/ namespace.
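The failure described above is a permission lookup that returns null and a permission callback that reads null as "allow". The following PHP is an added example, not Hippoo's code (the class name, REST namespace and route are hypothetical; the WordPress functions are core): the lookup always returns a list, the callback fails closed, and the wrapped core route is reached through rest_do_request() so core's own per-user checks still run instead of being replaced by __return_true.

```php
<?php
// Added example, not the plugin's code. Names are hypothetical.

class Example_Rest_Permissions {

    // Always return an array. An unauthenticated caller (user ID 0) and an
    // unknown user both get an empty list, so "no data" can never be read
    // as "administrator" the way a null return can.
    public static function get_user_permissions( int $user_id ): array {
        $user = $user_id > 0 ? get_userdata( $user_id ) : false;
        if ( ! $user ) {
            return array();
        }
        return array_keys( array_filter( $user->allcaps ) );
    }

    // Fail closed: grant access only when the capability is explicitly
    // present; anything else is a 401/403, never a silent allow.
    public static function can_edit_users( WP_REST_Request $request ) {
        $caps = self::get_user_permissions( get_current_user_id() );
        if ( in_array( 'edit_users', $caps, true ) ) {
            return true;
        }
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to do that.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/ext/wp/v2/users/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'permission_callback' => array( 'Example_Rest_Permissions', 'can_edit_users' ),
        'callback'            => function ( WP_REST_Request $request ) {
            // Forward to the core users controller with the caller's own
            // authentication context, so core's per-user checks still run.
            $inner = new WP_REST_Request( 'POST', '/wp/v2/users/' . (int) $request['id'] );
            $inner->set_body_params( $request->get_body_params() );
            return rest_do_request( $inner );
        },
    ) );
} );
```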

3. ARMember Premium <= 7.3.1 – Insecure Password Reset to Admin Account Takeover

  • Plugin Slug: armember-membership
  • CVE ID: CVE-2026-5076 | CVSS Score: 9.8 (Critical)
  • Researcher: h0xilo
  • Patch Status: Patched in version 7.3.2

What this vulnerability does:

When a user requests a password reset, ARMember Premium stores a plaintext copy of the reset key in the arm_reset_password_key user meta field in wp_usermeta. (WordPress core normally stores only a properly hashed key in wp_users.user_activation_key.)

ARMember’s plaintext copy is retrievable through a database read, which an attacker can reach by chaining it with the SQL injection flaw disclosed in the same batch (CVE-2026-5073, CVSS 7.5). Once an attacker retrieves the plaintext key, they use the plugin’s custom armrp reset action to set a new password for any account, converting a high-severity SQL injection into a full unauthenticated site takeover.

Remediation:

Update to ARMember Premium 7.3.2 immediately. After updating, purge any residual plaintext reset keys from wp_usermeta and rotate passwords for all administrator accounts.
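Both the Kirki flaw (reset link sent to a request-supplied address) and the ARMember flaw (plaintext key persisted in usermeta) come from re-implementing a reset flow that WordPress core already handles safely. The following PHP is an added example, not code from either plugin (the route namespace and handler names are hypothetical; everything else is core): the only client input to the "forgot" step is a username, the link goes solely to the address on record, and the key is never stored anywhere except core's hashed copy, which check_password_reset_key() validates at the "reset" step.

```php
<?php
// Added example, not Kirki's or ARMember's code. Route namespace and handler
// names are hypothetical; every other function here is WordPress core.
add_action( 'rest_api_init', function () {
    // Step 1: request a reset. Only a username comes from the client; the
    // delivery address is never read from the request body.
    register_rest_route( 'example/v1', '/password/forgot', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // a public route by design
        'args'                => array(
            'login' => array( 'required' => true, 'sanitize_callback' => 'sanitize_user' ),
        ),
        'callback'            => 'example_handle_forgot_password',
    ) );
    // Step 2: consume the key. Core checks it against the hashed copy in
    // wp_users.user_activation_key; no other copy exists.
    register_rest_route( 'example/v1', '/password/reset', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'args'                => array(
            'login'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_user' ),
            'key'      => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'password' => array( 'required' => true ),
        ),
        'callback'            => 'example_handle_reset_password',
    ) );
} );
function example_handle_forgot_password( WP_REST_Request $request ) {
    $user = get_user_by( 'login', $request['login'] );
    if ( $user ) {
        $key = get_password_reset_key( $user ); // core hashes it before saving
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url( 'wp-login.php?action=rp&key=' . rawurlencode( $key )
                . '&login=' . rawurlencode( $user->user_login ), 'login' );
            // Only the address on record receives the link.
            wp_mail( $user->user_email, 'Password reset', $link );
        }
        // Never keep $key in usermeta, options or logs; the hashed core copy is enough.
    }
    // Identical response whether or not the account exists.
    return rest_ensure_response( array( 'sent' => true ) );
}
function example_handle_reset_password( WP_REST_Request $request ) {
    $user = check_password_reset_key( $request['key'], $request['login'] );
    if ( is_wp_error( $user ) ) {
        return new WP_Error( 'invalid_key', 'Invalid or expired reset key.', array( 'status' => 400 ) );
    }
    reset_password( $user, $request['password'] ); // sets the password and invalidates the key
    return rest_ensure_response( array( 'reset' => true ) );
}
```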

Full WordPress Vulnerability Disclosure Table

Use this table to check every plugin and theme in your WordPress stack. Sort or prioritize your patching queue by CVSS score.

| Plugin / Theme Name | Type | Affected Versions | CVE ID | CVSS | Vulnerability Type | Recommended Action |
|---|---|---|---|---|---|---|
| Hippoo Mobile App | Plugin | <= 1.9.4 | CVE-2026-10580 | 9.8 | Unauth. Auth Bypass / Admin Takeover | Update to 1.9.5 |
| ARMember Premium | Plugin | <= 7.3.1 | CVE-2026-5076 | 9.8 | Insecure Password Reset / Privilege Escalation | Update to 7.3.2 |
| Kirki Page Builder | Plugin | 6.0.0–6.0.6 | CVE-2026-8206 | 9.8 | Unauth. Privilege Escalation via API | Update to 6.0.7 |
| Gravity Forms | Plugin | <= 2.10.0.1 | CVE-2026-48866 | 9.1 | Unauthenticated Arbitrary File Deletion | Update Now |
| WP Captcha PRO | Plugin | <= 5.38 | CVE-2026-5415 | 8.8 | Authenticated Auth Bypass via Temp Link | Update Now |
| WP Captcha PRO | Plugin | <= 5.38 | CVE-2026-5411 | 8.8 | Missing Auth to Arbitrary File Upload | Update Now |
| Admin Columns | Plugin | <= 7.0.18 | CVE-2026-7654 | 8.8 | Authenticated PHP Object Injection to RCE | Update Now |
| Content Visibility (Divi) | Plugin | <= 4.02 | CVE-2026-1829 | 8.8 | Authenticated Remote Code Execution | Update Now |
| WP User Manager | Plugin | <= 2.9.17 | CVE-2026-9290 | 7.5 | Unauth. Path Traversal to LFI | Update Now |
| SP Project & Doc Mgr | Plugin | <= 4.71 | CVE-2026-10737 | 7.5 | Missing Auth / Arbitrary File Disclosure | Update Now |
| ARMember Premium | Plugin | <= 7.3.1 | CVE-2026-5073 | 7.5 | Unauth. SQL Injection via ‘order’ Parameter | Update to 7.3.2 |
| Booking Package | Plugin | <= 1.7.16 | CVE-2026-9851 | 7.2 | Authenticated Account Takeover | Update Now |
| MDJM Event Mgmt | Plugin | <= 1.7.8.3 | CVE-2026-7537 | 7.2 | Authenticated Arbitrary File Upload | Update Now |
| Freshsales Integration | Plugin | <= 1.0.15 | CVE-2026-8901 | 7.2 | Unauth. Stored XSS via Form Data | Update Now |
| All-In-One Security (AIOS) | Plugin | <= 5.4.7 | CVE-2026-8438 | 7.2 | Unauth. Stored XSS via REST API Path | Update Now |
| Gutenberg Essential Blocks | Plugin | <= 6.1.3 | CVE-2026-10586 | 7.2 | Authenticated SSRF | Update Now |
| WP Statistics | Plugin | <= 14.16.6 | CVE-2026-48839 | 7.2 | Unauthenticated Stored XSS | Update Now |
| LearnPress Backup | Plugin | <= 4.1.4 | CVE-2026-7566 | 6.6 | Authenticated PHP Object Injection | Update Now |
| Photo Gallery (10Web) | Plugin | <= 1.8.41 | CVE-2026-9829 | 6.5 | Authenticated SQLi via Shortcode | Update Now |
| MasterStudy LMS Pro+ | Plugin | <= 4.8.20 | CVE-2026-8653 | 6.5 | Authenticated SQLi via ‘columns’ Parameter | Update Now |
| 54 Other Components | Mixed | Various | Various | < 6.5 | XSS, Missing Auth, CSRF, IDOR | Check Priority |

Note: Wordfence Intelligence lists the full dataset for June 2026. Cross-reference your installed plugins against their database weekly to stay current.

WordPress Security Threat Trends: Week of June 1–7, 2026

The volume drop does not signal a quieter threat environment. Attackers operate on their own schedule regardless of disclosure volume. Two main trends stand out this week:

Password Reset Abuse is Skyrocketing

Privilege escalation via password reset abuse is a growing attack pattern. The Kirki vulnerability (CVE-2026-8206) is the second major plugin this year to carry a flaw where the password reset function delivers a valid reset token to an attacker-controlled email.

Plugin developers who build custom REST API authentication flows often test whether a reset key generates correctly, but fail to verify that the link is delivered only to the address already on record for the account. Wordfence’s bug bounty program paid $6,436 for this discovery, a reward that directly reflects how dangerous this vulnerability class is.

AI Automated Threat Detection Compresses Exploitation Windows

AI-powered threat detection is compressing exploitation windows. Platforms are catching authentication bypasses within weeks of a developer introducing them into new versions. In previous years, these flaws would typically surface through active in-the-wild exploitation rather than automated code analysis.

The Kirki flaw traveled an incredibly fast path: reported May 4, validated May 8, and a firewall rule deployed May 9. The attacker's runway between vulnerability introduction and security detection is shrinking, but sites running outdated plugins will still lose that race.

WordPress Security Best Practices: Defensive Checklist

Apply these sequential controls to reduce your blast radius when a new vulnerability hits before a vendor patch is available:

1. Deploy Edge Virtual Patching: Immediate Protection.

Ensure your Web Application Firewall (WAF) pushes rule updates for known CVEs within hours of disclosure. High-severity issues require network-edge mitigation to block payloads before they hit your application layer.

2. Audit Administrator Accounts: Weekly Frequency.

Because flaws like Kirki allow immediate account hijacking, review your active WordPress Users list weekly. Look for unauthorized accounts or altered email addresses.

3. Purge and Delete Inactive Plugins: Monthly Hygiene.

Do not just deactivate unused plugins: delete them from the filesystem completely. Inactive code bases are still highly vulnerable to Local File Inclusion (LFI) and directory traversal exploits.

4. Inspect the mu-plugins Directory: Deep Audit.

Manually inspect /wp-content/mu-plugins/. Attackers frequently drop malicious webshells here because Must-Use plugins load automatically and do not appear in the standard plugin dashboard grid.

5. Enforce Two-Factor Authentication (2FA): Global Policy.

Mandate TOTP-based 2FA for all administrative accounts. Even if a plugin flaw allows an attacker to maliciously generate a valid password reset token, 2FA will stop the authentication cycle from completing.
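Steps 2 to 4 of the checklist can be run as one audit. The script below is an added example, not from the article or any vendor; it assumes WP-CLI is installed and is run from the site root as `wp eval-file audit.php` (the file name and function names are hypothetical). It lists every administrator with their email and registration date, every installed-but-inactive plugin, and every file under mu-plugins with its modification date, flagging files changed in the last 30 days.

```php
<?php
// Added example, not from the article. Run with: wp eval-file audit.php
// Covers checklist steps 2 (admins), 3 (inactive plugins) and 4 (mu-plugins).
require_once ABSPATH . 'wp-admin/includes/plugin.php';

// Step 2: every administrator, with the fields that change in a takeover.
function example_audit_admins(): array {
    $rows = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
        $rows[] = sprintf( '%d  %s  %s  registered %s', $u->ID, $u->user_login, $u->user_email, $u->user_registered );
    }
    return $rows;
}

// Step 3: installed plugins that are not active are still reachable on disk.
function example_audit_inactive_plugins(): array {
    $rows = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $rows[] = sprintf( '%s  (%s %s)  inactive: delete it', $file, $data['Name'], $data['Version'] );
        }
    }
    return $rows;
}

// Step 4: walk mu-plugins recursively; a dropped loader may sit in a subdirectory.
function example_audit_mu_plugins( int $recent_days = 30 ): array {
    $rows = array();
    if ( ! is_dir( WPMU_PLUGIN_DIR ) ) {
        return $rows;
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( WPMU_PLUGIN_DIR, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        $age_days = ( time() - $file->getMTime() ) / DAY_IN_SECONDS;
        $flag     = ( $age_days <= $recent_days ) ? 'RECENT' : '';
        $rows[]   = sprintf( '%-6s %s  %s', $flag, date( 'Y-m-d', $file->getMTime() ), $file->getPathname() );
    }
    return $rows;
}

$sections = array(
    'Administrators'   => example_audit_admins(),
    'Inactive plugins' => example_audit_inactive_plugins(),
    'mu-plugins files' => example_audit_mu_plugins(),
);
foreach ( $sections as $title => $rows ) {
    WP_CLI::log( "== $title ==" );
    foreach ( $rows ?: array( '(none)' ) as $row ) {
        WP_CLI::log( $row );
    }
}
```

Anything under mu-plugins you did not place there yourself, and any administrator you do not recognise, is worth treating as a possible compromise rather than a curiosity.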

Frequently Asked Questions About WordPress Vulnerabilities

What is a WordPress plugin vulnerability?

A security flaw in third-party plugin code that an attacker can exploit to gain unauthorized access, steal data, inject malicious scripts, or take over a site. The vast majority of WordPress compromises target plugins, not core software.

How do I check if my WordPress site has vulnerable plugins?

Install an enterprise scanner like Wordfence or Patchstack. Both scan your installed plugin stack against live threat databases and alert you the second a plugin you run receives a new CVE.

What does a CVSS score mean?

The Common Vulnerability Scoring System (CVSS) rates vulnerability severity from 0 to 10. Scores from 9.0 to 10.0 are Critical and require immediate mitigation within 24 hours. Scores from 7.0 to 8.9 are High severity.

What is an unpatched WordPress vulnerability?

Often called a zero-day, it is a security flaw with no official fix yet released by the developer. The correct immediate action is to deactivate and delete the plugin and switch to an alternative.

What is cross-site scripting (XSS)?

A flaw where an attacker injects malicious JavaScript into a site’s database (Stored) or via a URL (Reflected). When other users load the page, the script executes, allowing cookie theft or unauthorized redirection.

What is SQL injection (SQLi)?

SQLi occurs when a plugin builds database queries using unsanitized user input. Attackers use this to bypass authentication entirely, extract structural database info, or drop records.

Sources & References:

  • Wordfence Intelligence Vulnerability Database ([wordfence.com/threat-intel/vulnerabilities](https://wordfence.com/threat-intel/vulnerabilities))
  • Wordfence Bug Bounty Program Disclosures (CVE-2026-8206)
  • Patchstack Vulnerability Database (patchstack.com)
  • National Vulnerability Database (nvd.nist.gov)

wpsecurestack publishes this WordPress vulnerability roundup every week. Bookmark this page and return each Sunday for the latest threat intelligence insights, or check out our vulnerability database.
